cURL error 60 due to expired AddTrust certificate with openSSL 1.0

  • My plugin uses WP_Http to make requests to another server. If this server has an SSL certificate from COMODO (now Sectigo), the WP request returns an error:

    cURL error 60: SSL certificate problem: certificate has expired

    This only happens on hosting environments with an older OpenSSL (< 1.1.1), which I have already seen on two lower-end shared hosts.

    I found information from Sectigo explaining that the AddTrust certificate is expired as of May 30. According to this information, it is not necessary to reissue or reinstall the certificate on the server.

    However, in Slack I came across a discussion pointing to https://www.agwa.name/blog/post/fixing_the_addtrust_root_expiration, which explains, if I understand it correctly, that the server certificate should be fixed if it contains the expired AddTrust in the chain.

    Also in this Slack discussion it is pointed out that it would not help if WordPress fixed its ca-bundle.crt. I don’t understand why. If I temporarily remove the “AddTrust External Root” entry there, the error is gone.

    I would like to understand better which side could/should do something to fix this. Possible candidates, I think:

    • The server administrator could reinstall the certificate so the expired AddTrust is no longer part of the chain.
    • WordPress could update its wp-includes/certificates/ca-bundle.crt, removing the AddTrust External Root entry.
    • The hosting company could update their OpenSSL version to > 1.1.1.

    Any lights shining on this issue are most welcome… Thanks!

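To answer the “which side could/should do something” question from inside a plugin, here is an added example (my own code, not the original poster’s and not WordPress core). It classifies the chain a server actually sends, can fetch that chain live, and, as the client-side workaround the post describes, writes a plugin-owned copy of the CA bundle without the AddTrust root and points WP_Http at it. Assumptions: PHP 7.1+ with the openssl extension; the function names and the bundle path `my-plugin-ca-bundle.crt` are mine; the sample chain is constructed in the shape `openssl_x509_parse()` returns and is checked against a fixed date so the output does not depend on when it is run. The `http_request_args` filter and the `sslcertificates` request argument are WordPress’s own.

```php
<?php
// Added example for this thread; not code from WordPress core or from the posters.
// Requires the openssl extension. Function names are my own.

const ADDTRUST_ROOT_CN = 'AddTrust External CA Root';

/**
 * Classify a server-sent chain. $chain is a list of arrays in the shape
 * openssl_x509_parse() returns; $now lets the check run against a fixed date.
 * Returns ['fix' => 'server'|'client', 'reasons' => string[]].
 */
function classify_chain(array $chain, ?int $now = null): array
{
    $now     = $now ?? time();
    $reasons = [];
    $fix     = 'client';

    foreach ($chain as $i => $cert) {
        $cn       = $cert['subject']['CN'] ?? '(no CN)';
        $issuerCn = $cert['issuer']['CN'] ?? '(no CN)';

        if ($cert['validTo_time_t'] < $now) {
            $reasons[] = sprintf('#%d "%s" expired on %s', $i, $cn,
                gmdate('Y-m-d', $cert['validTo_time_t']));
            $fix = 'server';
        }
        // The tell-tale of the AddTrust problem: the server still ships the
        // intermediate cross-signed by AddTrust (or the AddTrust root itself).
        // OpenSSL 1.0.x keeps walking that sent path to the expired root instead
        // of trying the alternative path through the newer USERTrust root.
        if ($issuerCn === ADDTRUST_ROOT_CN || $cn === ADDTRUST_ROOT_CN) {
            $reasons[] = sprintf('#%d "%s" chains to "%s"; the operator should reinstall with the current Sectigo chain',
                $i, $cn, ADDTRUST_ROOT_CN);
            $fix = 'server';
        }
    }
    if ($fix === 'client') {
        $reasons[] = 'chain does not reference AddTrust and nothing has expired; a remaining cURL error 60 is a client trust-store or OpenSSL problem';
    }
    return ['fix' => $fix, 'reasons' => $reasons];
}

/** Pull the chain a live server sends. Verification is off on purpose: this is a diagnostic, not a secure connection. */
function fetch_sent_chain(string $host, int $port = 443): array
{
    $ctx = stream_context_create(['ssl' => [
        'capture_peer_cert_chain' => true,
        'verify_peer'             => false,
        'verify_peer_name'        => false,
        'SNI_enabled'             => true,
        'peer_name'               => $host,
    ]]);
    $sock = stream_socket_client("ssl://$host:$port", $errno, $errstr, 10, STREAM_CLIENT_CONNECT, $ctx);
    if ($sock === false) {
        throw new RuntimeException("connect failed: $errstr ($errno)");
    }
    $params = stream_context_get_params($sock);
    fclose($sock);
    return array_map('openssl_x509_parse', $params['options']['ssl']['peer_certificate_chain'] ?? []);
}

/**
 * Write a copy of a PEM bundle without the AddTrust root (the client-side
 * workaround from the post), in a plugin-owned file so a WordPress upgrade
 * does not silently restore the entry. Returns the number of certs dropped.
 */
function write_trimmed_bundle(string $src, string $dst): int
{
    preg_match_all('/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/s', file_get_contents($src), $m);
    $kept = [];
    foreach ($m[0] as $pem) {
        $info = openssl_x509_parse($pem);
        if ($info !== false && ($info['subject']['CN'] ?? '') === ADDTRUST_ROOT_CN) {
            continue;
        }
        $kept[] = $pem;
    }
    file_put_contents($dst, implode("\n", $kept) . "\n");
    return count($m[0]) - count($kept);
}

// Inside the plugin: point WP_Http at the trimmed bundle through the
// 'sslcertificates' request argument (default: wp-includes/certificates/ca-bundle.crt).
if (function_exists('add_filter')) {
    add_filter('http_request_args', function (array $args): array {
        $args['sslcertificates'] = WP_CONTENT_DIR . '/my-plugin-ca-bundle.crt'; // hypothetical path
        return $args;
    });
}

if (PHP_SAPI === 'cli') {
    // Constructed sample: a Sectigo-issued leaf whose server still sends the
    // USERTrust intermediate cross-signed by AddTrust (expired 2020-05-30).
    $sample_chain = [
        ['subject' => ['CN' => 'example.com'],
         'issuer'  => ['CN' => 'Sectigo RSA Domain Validation Secure Server CA'],
         'validTo_time_t' => strtotime('2021-03-01 00:00:00 UTC')],
        ['subject' => ['CN' => 'Sectigo RSA Domain Validation Secure Server CA'],
         'issuer'  => ['CN' => 'USERTrust RSA Certification Authority'],
         'validTo_time_t' => strtotime('2030-12-31 23:59:59 UTC')],
        ['subject' => ['CN' => 'USERTrust RSA Certification Authority'],
         'issuer'  => ['CN' => ADDTRUST_ROOT_CN],
         'validTo_time_t' => strtotime('2020-05-30 10:48:38 UTC')],
    ];
    $verdict = classify_chain($sample_chain, strtotime('2020-06-01 00:00:00 UTC'));
    printf("fix on: %s\n  %s\n", $verdict['fix'], implode("\n  ", $verdict['reasons']));
}
```

Run it with `php diagnose.php` to see the verdict for the constructed chain (both reasons point at the server), or call `classify_chain(fetch_sent_chain('your.api.host'))` against the real endpoint. The trimmed bundle only helps when the client’s OpenSSL stops at the USERTrust RSA root once AddTrust is gone; on a host that keeps an out-of-support OpenSSL the better outcome is still the server reinstalling its chain.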
  • Moderator Yui (@fierevere) 永子

    The server administrator could reinstall the certificate so the expired AddTrust is no longer part of the chain.

    This is the preferred way.
    Most server administrators have already done so and freed everyone else of the problems.

    The hosting company could update their openSSL version to > 1.1.1

    They definitely should. Quoting OpenSSL site:

    The latest stable version is the 1.1.1 series. This is also our Long Term Support (LTS) version, supported until 11th September 2023. All older versions (including 1.1.0, 1.0.2, 1.0.0 and 0.9.8) are now out of support and should not be used. Users of these older versions are encouraged to upgrade to 1.1.1 as soon as possible.

    Can’t say much about the WP CA bundle, but it’s a slightly worse workaround than the previous 2 methods mentioned.

    Thread Starter sandrab (@rozijntje)

    Thanks, @fierevere for your fast reply!

    I will ask the server administrator to reinstall the certificate.

    That will probably solve the issue in this particular case, but I keep wondering about the WordPress side. I don’t understand why the ca-bundle shipped inside WP should contain an expired entry, which at best has no effect and at worst kills the functionality to connect to an external server. Not everyone has control over either the external server or the hosting environment they are using. And it just does not make sense to keep it there in my (slightly simplistic) view of things.

    I will keep this post unresolved in the hope that someone might explain the rationale about whether we would want to update the WP core ca-bundle or not.

    Anyhow, thanks for your input – it also helped me get my head around it some more. Thanks!
